possible new type of pgp plaintext attack ?

"vedaal" <vedaal@hotmail.com> Tue, 20 August 2002 21:53 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA28585 for <openpgp-archive@lists.ietf.org>; Tue, 20 Aug 2002 17:53:43 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g7KLhVY00931 for ietf-openpgp-bks; Tue, 20 Aug 2002 14:43:31 -0700 (PDT)
Received: from hotmail.com (oe15.law3.hotmail.com [209.185.240.119]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7KLhT200927 for <ietf-openpgp@imc.org>; Tue, 20 Aug 2002 14:43:29 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 20 Aug 2002 14:42:28 -0700
X-Originating-IP: [207.127.12.210]
From: "vedaal" <vedaal@hotmail.com>
To: <ietf-openpgp@imc.org>
Subject: possible new type of pgp plaintext attack ?
Date: Tue, 20 Aug 2002 17:40:15 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Message-ID: <OE15QSktLxHbHucVXqx0000723f@hotmail.com>
X-OriginalArrivalTime: 20 Aug 2002 21:42:28.0973 (UTC) FILETIME=[7B3BB1D0:01C24892]
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit

atfer reading the paper on the pgp reply/plaintext attack,  was wondering if
there might be an additional way to mount a different type of plaintext
attack,
which is independent of the recipient's reply:

consider:

Alice pgp encrypts a message to Bob, and by default, simultaneously to
herself.

Alice can use gnupg to obtain the session key for the message, by
decrypting the default encrypted message to her own key.

The session key, can now be used as a known plaintext,
the packet of the session key encrypted to Bob's public key, is the
ciphertext,

and Bob's [ private key + passphrase hash ] the unknown, that is sought.


now,

if we assume that:
(a) Alice can use a watered-down implementation of pgp that does not use
'salt'

and

(b) Alice can intentionally use a flawed 'crackable' algorithm to encrypt to
Bob's key
{like using an 'experimental algo' in gnupg, but finding/making one that is
easily cracked, or trivial to begin with}

then,
is it possible for Alice to retrieve Bob's [private key + passphrase hash],
which could then be used to decrypt  other messages encrypted to Bob's key ?


TIA,

vedaal